From c2de388e9dc5b0f7e3161191b9d9f093ce6f80e0 Mon Sep 17 00:00:00 2001 From: root Date: Sun, 12 Jan 2025 02:30:56 +0300 Subject: [PATCH] printui.exe lolbas request --- yml/OSBinaries/printui.yml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 yml/OSBinaries/printui.yml diff --git a/yml/OSBinaries/printui.yml b/yml/OSBinaries/printui.yml new file mode 100644 index 0000000..1694a18 --- /dev/null +++ b/yml/OSBinaries/printui.yml @@ -0,0 +1,25 @@ +--- +Name: printui.exe +Description: Malicious dll file load to memory via printui.exe +Author: 'Yasin Gökhan TAŞKIN' +Created: 2025-01-12 +Commands: + - Command: start "%SystemDrive%"\Windows\System32\printui.exe + Description: Detects potential DLL sideloading of "printui.dll". While using legit "printui.exe" it can be abused to attach to an arbitrary process and force load DLL named "printui.dll" from the current directory of execution. + Usecase: Execute dll file + Category: Execute + Privileges: User + MitreID: T1574.002 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 + Tags: + - Execute: DLL +Full_Path: + - Path: C:\Windows\System32\printui.exe +Detection: + - Sigma: https:https://github.com/SigmaHQ/sigma/blob/master/rules/windows/image_load/image_load_side_load_from_non_system_location.yml + - IOC: Load malicious DLL image +Resources: + - Link: https:https://www.linkedin.com/pulse/uncovered-lolbas-yasin-g%C3%B6khan-ta%C5%9Fkin-gnpwf/?trackingId=WvE5YmopTtyh%2FuvEPcpyZQ%3D%3D +Acknowledgement: + - Person: Yasin Gökhan TAŞKIN + Handle: '@TaskinYasn'
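Review bot: The Command line in this hunk is mis-quoted: `start "%SystemDrive%"\Windows\System32\printui.exe` places only the drive variable inside the quotes, and `start` treats a leading quoted string as the window title rather than as part of the path, so the entry should read `start "" "%SystemDrive%\Windows\System32\printui.exe"` (or drop `start` and give the plain path, matching the Full_Path value). Both URLs are malformed with a doubled scheme, `https:https://github.com/...` and `https:https://www.linkedin.com/...`, and will not resolve until the first `https:` is removed. The Description under Commands reads like a Sigma rule description ("Detects potential DLL sideloading ...") rather than a description of what the command does, and the clause about attaching "to an arbitrary process" is not supported by the rest of the entry, which only describes printui.exe loading printui.dll from its current working directory; restate it as what the binary does, in the same register as the top-level Description. The IOC "Load malicious DLL image" is too generic to act on; the visible behaviour gives a concrete indicator, printui.exe loading a printui.dll from a path other than System32, which is also what the referenced Sigma rule keys on. Minor: "Windows vista" should be "Windows Vista" for consistency with the other names in the OperatingSystem list, and the commit is authored as "root" with no e-mail address, which the acknowledgement block suggests is not intended.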